Researchers: Rootkits headed for BIOS
Robert Lemos, SecurityFocus 2006-01-26

ARLINGTON, Virginia -- Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.

Researchers: Rootkits headed for BIOS 2006-01-27
Bela from VA (1 replies)
It wouldn't be that easy!!! 2006-01-27
janice
Quibble - rootkit for OS X 2006-01-27
Anonymous (1 replies)
Re: Quibble - rootkit for OS X 2006-01-30
Anonymous
Researchers: Rootkits headed for BIOS 2006-01-27
Gimping 8600
Not actually 2006-01-27
Prisoner (1 replies)
Re: Not actually 2006-06-24
Anonymous
Researchers: Rootkits headed for BIOS 2006-01-29
Anonymous (3 replies)
Until you've seen a 'malware/trojan/rootkit' that actually writes to eeproms, don't dismiss the theory so quickly. I speak from experience, as I actually got hit with that very malady around 4Q 2004. This particular offering (not sure what else to call it) did indeed flash the bios in two networked computers. On a laptop that had the bios password set, it would continually boot to the bios password prompt in order to continue the boot process (checkmate). When the bios was flashed by the malicious code, it obscured areas of the hard drives either by changing the geometry in the bios or in the firmware of the drive (not sure which). The onboard lan card operated almost independently; you would see packets streaming out before the computer had ever finished booting. The malicious code would spawn several virtual terminals in the background while booted in a windows session. Doing a reinstall and reformat resolved nothing because of hacked windows files stored in the hidden drive areas marked as bad sectors or obscured through geometry changes. Any reinstall would start normally from the cd, but you would observe at some point foreign (unusual) files and drivers begin to load. All ACLs were changed and since the malware had control at the bios level virtually all drivers were controlled at the lowest level. Every known AV, anti spyware, anti trojan and firewall was *deactivated* yet given the appearance of running normally, though they scanned against empty signature files. In the case of a few popular firewalls, hacked drivers were loaded which rendered them useless. Try clicking the 'stop all internet activity' button on a firewall and have it say 'xxxx is unable to stop all internet activity.' This particular incident could go on for pages. Suffice it to say that the malicious code appeared to load an 'evil linux kernel' in a virtual minix looping file system using various empty memory areas in the firmware of devices.
It was of course the ACPI interface that seemed to be the common thread in what type of low level interface was being used to manipulate the hardware. Certainly at the hardware abstraction layer would do the trick. I discovered much of this after booting with a linux rescue cd that was provided by a backup drive manufacturer. This is where I noticed that the initrd would get hijacked by an image that was written into my firmware. Recovering from this was virtually impossible. I now use a Mac. Not that it matters, I still have PCs, but everything (routers, av, utilities, password protection, encryption) now is industrial strength and wrapped up so tight it's worse than being at work. I suggest the following texts: 'Exploiting Software: How to Break Code' by Hoglund and McGraw; 'Malware: Fighting Malicious Code' by Skoudis; 'Building Embedded Linux Systems' by Yaghmour.

Researchers: Rootkits headed for BIOS 2006-02-07
Samuel Stetler
Researchers: Rootkits headed for BIOS 2006-02-13
Black~Feather (1 replies)
Researchers: Rootkits headed for BIOS 2006-03-25
CONFIRMED ROOTKIT TROJAN / SCRIPTING IN BIOS (5 replies)
Researchers: Rootkits headed for BIOS 2008-04-25
Anonymous (1 replies)